
Commit f39ad8c

committedJun 6, 2012
Make test for HTTPS protocol compliant with PHP documentation
Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol" so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurrences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes #14333 [1] http://php.net/manual/en/reserved.variables.server.php
1 parent f3420be commit f39ad8c


5 files changed

+21
-16
lines changed


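--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -98,7 +98,7 @@
 $t_protocol = 'http';
 if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
 $t_protocol= $_SERVER['HTTP_X_FORWARDED_PROTO'];
-} else if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+} else if ( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 $t_protocol = 'https';
 }
 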
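Review bot: The updated condition on new line 101 re-implements the test that this commit centralises in `http_is_protocol_https()`, with `strtolower()` here versus `utf8_strtolower()` in the helper, so there are now two copies to keep in sync; presumably the helper cannot be called because config_defaults_inc.php is loaded before http_api.php, and a comment saying so, `# duplicated from http_is_protocol_https() in core/http_api.php: http_api is not loaded yet`, would stop the next reader from "fixing" it. Separately, the `HTTP_X_FORWARDED_PROTO` branch just above copies the header value into `$t_protocol` verbatim; unless a proxy in front of this host overwrites that header it is client-controlled, so it is worth restricting to the two expected values, e.g. `$t_protocol = ( 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) ? 'https' : 'http';`. Whether that header should be trusted at all depends on the deployment, which is a further reason to document the choice next to the code.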
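--- a/core/gpc_api.php
+++ b/core/gpc_api.php
@@ -29,19 +29,21 @@
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses error_api.php
+* @uses http_api.php
 */
 
 require_api( 'config_api.php' );
 require_api( 'constant_inc.php' );
 require_api( 'error_api.php' );
+require_api( 'http_api.php' );
 
 /**
 * Determines (once-off) whether the client is accessing this script via a
 * secure connection. If they are, we want to use the Secure cookie flag to
 * prevent the cookie from being transmitted to other domains.
 * @global bool $g_cookie_secure_flag_enabled
 */
-$g_cookie_secure_flag_enabled = isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+$g_cookie_secure_flag_enabled = http_is_protocol_https();
 
 /**
 * Determines (once-off) whether the version of PHP executing this script has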
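--- a/core/http_api.php
+++ b/core/http_api.php
@@ -29,6 +29,14 @@
 
 require_api( 'config_api.php' );
 
+/**
+* Checks to see if script was queried through the HTTPS protocol
+* @return boolean True if protocol is HTTPS
+*/
+function http_is_protocol_https() {
+return !empty( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+}
+
 /**
 * Check to see if the client is using Microsoft Internet Explorer so we can
 * enable quirks and hacky non-standards-compliant workarounds.
@@ -143,14 +151,14 @@ function http_security_headers() {
 header( 'X-Frame-Options: DENY' );
 $t_avatar_img_allow = '';
 if ( config_get_global( 'show_avatar' ) ) {
-if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+if ( http_is_protocol_https() ) {
 $t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
 } else {
 $t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
 }
 }
 header( "X-Content-Security-Policy: allow 'self';$t_avatar_img_allow; frame-ancestors 'none'" );
-if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+if ( http_is_protocol_https() ) {
 header( 'Strict-Transport-Security: max-age=7776000' );
 }
 }
 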
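Review bot: `http_is_protocol_https()` (new lines 36–38) looks only at `$_SERVER['HTTPS']`, whereas the `$t_protocol` detection this same commit touches in config_defaults_inc.php also honours `HTTP_X_FORWARDED_PROTO`, so the two can disagree on a single request. Behind a TLS-terminating reverse proxy the helper reports plain HTTP, and every caller switched to it here — the Secure cookie flag in gpc_api.php, the HSTS and CSP img-src branches in `http_security_headers()`, the gravatar scheme in user_api.php and the cache check in file_download.php — would then treat the request as insecure, which for the cookie flag means the session cookie is issued without `Secure`. Since the forwarded header is client-supplied unless a proxy overwrites it, I would not add it to the helper unconditionally; if it is honoured it should be gated on a configuration option naming a trusted proxy and compared strictly (`'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )`). At minimum a docblock line such as `@see config_defaults_inc.php, whose $t_protocol detection also consults HTTP_X_FORWARDED_PROTO` would record the divergence. `http_security_headers()` starts before the second hunk.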
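--- a/core/user_api.php
+++ b/core/user_api.php
@@ -814,15 +814,10 @@ function user_get_avatar( $p_user_id, $p_size = 80 ) {
 } else {
 $t_size = $p_size;
 
-$t_use_ssl = false;
-if( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
-$t_use_ssl = true;
-}
-
-if( !$t_use_ssl ) {
-$t_gravatar_domain = 'http://www.gravatar.com/';
-} else {
+if( http_is_protocol_https() ) {
 $t_gravatar_domain = 'https://secure.gravatar.com/';
+} else {
+$t_gravatar_domain = 'http://www.gravatar.com/';
 }
 
 $t_avatar_url = $t_gravatar_domain . 'avatar/' . md5( $t_email ) . '?d=identicon&r=G&s=' . $t_size;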
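Review bot: The simplified branch on new lines 817–821 is fine, but the URL built on line 823 hashes `$t_email` as-is; Gravatar keys avatars on the MD5 of the trimmed, lower-cased address, so if `$t_email` is not normalised earlier in `user_get_avatar()` (not visible in the hunk) the lookup silently falls back to the `identicon` default. If that is the case, `md5( utf8_strtolower( trim( $t_email ) ) )` would fix it. `user_get_avatar()` starts before and continues after the hunk.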
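--- a/file_download.php
+++ b/file_download.php
@@ -141,7 +141,7 @@
 # attached files via HTTPS, we disable the "Pragma: no-cache"
 # command when IE is used over HTTPS.
 global $g_allow_file_cache;
-if ( ( isset( $_SERVER["HTTPS"] ) && ( "on" == utf8_strtolower( $_SERVER["HTTPS"] ) ) ) && is_browser_internet_explorer() ) {
+if ( http_is_protocol_https() && is_browser_internet_explorer() ) {
 # Suppress "Pragma: no-cache" header.
 } else {
 if ( !isset( $g_allow_file_cache ) ) {
@@ -182,7 +182,7 @@
 $t_content_type = $t_file_info_type;
 }
 }
-
+
 if ( $t_content_type_override )
 $t_content_type = $t_content_type_override;
 
@@ -211,7 +211,7 @@
 $t_content_type = $t_file_info_type;
 }
 }
-
+
 if ( $t_content_type_override )
 $t_content_type = $t_content_type_override;
 
@@ -226,7 +226,7 @@
 $t_content_type = $t_file_info_type;
 }
 }
-
+
 if ( $t_content_type_override )
 $t_content_type = $t_content_type_override;
 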
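Review bot: The new condition on line 144 still guards an empty branch whose only content is the comment `# Suppress "Pragma: no-cache" header.`, with the real work in the `else`; inverting it, `if ( !( http_is_protocol_https() && is_browser_internet_explorer() ) ) {`, lets the comment move above the `if` and drops the dead body. Note also that the old test accepted only `"on"` while the helper accepts any non-empty value other than `off`; that matches the commit's stated intent but slightly widens the set of requests for which the header is suppressed, which is worth a word in the comment on line 142. The remaining three hunks are whitespace-only. The enclosing block starts before and continues after the first hunk.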